Overview

overview

10

Static

static

PAUL DETAIL's..exe

windows7-x64

10

PAUL DETAIL's..exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAUL DETAIL's..exe

  • Size

    817KB

  • MD5

    c5d2095e8e1f8e9af9fd19ba2c885de4

  • SHA1

    db7c115bec56a8a3672d32896db2375af842ddee

  • SHA256

    2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

  • SHA512

    74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

  • SSDEEP

    6144:SqyVDmmHOegxgaoJ6rVyFHp9pK3HseCSamdVFWGmOWCouHohuC9OJ+F8Y/WGMXEg:IMMO70JMmremUVF3pWfYJMlTLGdGtF

Score
10/10
darkcloudstealer

Malware Config

Extracted

Family

darkcloud

Attributes

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

    stealerdarkcloud
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe
    "C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe
      "C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sideris cyt 2"
      2⤵
        PID:1776
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:812
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe" "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
        2⤵
          PID:1104
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {9645110F-32C6-4B95-9F83-D86E7F252037} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
          "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
            "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1800
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sideris cyt 2"
            3⤵
              PID:1808
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1280
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
                4⤵
                • Creates scheduled task(s)
                PID:676
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c copy "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe" "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
              3⤵
                PID:1380
            • C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
              "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
              2⤵
              • Executes dropped EXE
              PID:1984

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
            Filesize

            817KB

            MD5

            c5d2095e8e1f8e9af9fd19ba2c885de4

            SHA1

            db7c115bec56a8a3672d32896db2375af842ddee

            SHA256

            2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

            SHA512

            74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

            Download Submit
          • C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
            Filesize

            817KB

            MD5

            c5d2095e8e1f8e9af9fd19ba2c885de4

            SHA1

            db7c115bec56a8a3672d32896db2375af842ddee

            SHA256

            2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

            SHA512

            74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

            Download Submit
          • C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
            Filesize

            817KB

            MD5

            c5d2095e8e1f8e9af9fd19ba2c885de4

            SHA1

            db7c115bec56a8a3672d32896db2375af842ddee

            SHA256

            2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

            SHA512

            74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

            Download Submit
          • C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
            Filesize

            817KB

            MD5

            c5d2095e8e1f8e9af9fd19ba2c885de4

            SHA1

            db7c115bec56a8a3672d32896db2375af842ddee

            SHA256

            2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

            SHA512

            74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

            Download Submit
          • memory/676-94-0x0000000000000000-mapping.dmp
            Download
          • memory/812-71-0x0000000000000000-mapping.dmp
            Download
          • memory/1060-69-0x0000000000000000-mapping.dmp
            Download
          • memory/1104-70-0x0000000000000000-mapping.dmp
            Download
          • memory/1188-76-0x00000000010B0000-0x0000000001182000-memory.dmp
            Filesize

            840KB

            Download
          • memory/1188-74-0x0000000000000000-mapping.dmp
            Download
          • memory/1280-89-0x0000000000000000-mapping.dmp
            Download
          • memory/1380-95-0x0000000000000000-mapping.dmp
            Download
          • memory/1500-55-0x0000000076201000-0x0000000076203000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1500-54-0x00000000012E0000-0x00000000013B2000-memory.dmp
            Filesize

            840KB

            Download
          • memory/1776-68-0x0000000000000000-mapping.dmp
            Download
          • memory/1800-86-0x000000000040312C-mapping.dmp
            Download
          • memory/1800-97-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/1800-96-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/1808-87-0x0000000000000000-mapping.dmp
            Download
          • memory/1984-98-0x0000000000000000-mapping.dmp
            Download
          • memory/1984-100-0x00000000010B0000-0x0000000001182000-memory.dmp
            Filesize

            840KB

            Download
          • memory/2024-77-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/2024-57-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/2024-59-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/2024-56-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/2024-62-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/2024-63-0x000000000040312C-mapping.dmp
            Download
          • memory/2024-65-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/2024-72-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download